package java.Bad.Test_Cast_ID_2163;

/* This software was developed at the National Institute of Standards and
 * Technology by employees of the Federal Government in the course of their
 * official duties. Pursuant to title 17 Section 105 of the United States
 * Code this software is not subject to copyright protection and is in the
 * public domain. NIST assumes no responsibility whatsoever for its use by
 * other parties, and makes no guarantees, expressed or implied, about its
 * quality, reliability, or any other characteristic.
 * We would appreciate acknowledgement if the software is used.
 * The SAMATE project website is: http://samate.nist.gov
 */

/*
 * This servlet implements an SQL injection vulnerability
 * Parameters:
 *   - name: source of the vulnerability
 * Example:
 *   - url: http://server_address/path_to_servlet/SQLInjection_089?name=' OR ''='
 */

import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.logging.Logger;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class SQLInjection_scope_089 extends HttpServlet {
	private static final long serialVersionUID = 1L;

	public SQLInjection_scope_089() {
		super();
	}

	// Method which will be called to handle HTTP GET requests
	protected void doGet(HttpServletRequest req, HttpServletResponse resp)
			throws ServletException, IOException {
		Connection conn = null;

		// Get the parameter "name" from the data provided by the user
		String name = req.getParameter("name");

		// Initialize the output stream
		resp.setContentType("text/html");
		ServletOutputStream out = resp.getOutputStream();
		out.println("<HTML><BODY><blockquote><pre>");

		try {
			// Set the context factory to use to create the initial context
			System.setProperty(Context.INITIAL_CONTEXT_FACTORY,
					"your.ContextFactory");

			// Create the initial context and use it to lookup the data source
			InitialContext ic = new InitialContext();
			DataSource dataSrc = (DataSource) ic
					.lookup("java:comp/env/jdbc:/mydb");

			// Create a connection to the SQL database from the data source
			conn = dataSrc.getConnection();

			// Send an unsanitized SQL request to the database, which may result
			// in SQL injection
			PreparedStatement p = function(conn, name);
			p.executeQuery();
		} catch (NamingException e) {
			out.println("Naming exception");
		} catch (SQLException e) {
			out.println("SQL exception");
		} finally {
			try {
				if (conn != null)
					conn.close();
			} catch (SQLException se) {
				out.println("SQL Exception");
			}
		}

		out.println("</pre></blockquote></body></html>");
	}

	protected void doPost(HttpServletRequest request,
			HttpServletResponse response) throws ServletException, IOException {
	}

	public PreparedStatement function(Connection conn, String name) {
		PreparedStatement p = null;
		try {
			// BUG
			// this unsanitized SQL request may result in SQL injection
			p = conn
					.prepareStatement("SELECT * FROM users WHERE firstname LIKE '"
							+ name + "'");
		} catch (SQLException se) {
			final Logger logger = Logger.getAnonymousLogger();
			String exception = "Exception " + se;
			logger.warning(exception);
		}
		return p;
	}
}
